CLAIMS 



What is claimed is: 

1. A method for controlling access to a computer system comprising: 

classifying applications running on an untrusted computer system as running in one of a 
trusted application execution context and an untrusted application execution context; and 

preventing an application on said untrusted computer system from initiating a connection 
with a trusted computer system unless said untrusted computer system is running said 
application in said trusted application execution context. 

2. The method in claim 1, wherein said trusted computer system can initiate connections 
with any execution context on said untrusted computer system. 

3. The method in claim 1, wherein only said untrusted application execution contexts on 
said untrusted system can initiate connections with an external computer system. 

4. The method in claim 1, wherein said applications are classified as having said trusted 
application execution contexts and said untrusted application execution contexts based on 
distinctive application execution context names. 

5. The method in claim 4, wherein a human administrator of said untrusted system assigns 
said distinctive application execution context names. 

6. The method in claim 4, wherein said applications cannot change the names of respective 
execution contexts in which said applications are running. 
7. The method in claim 4, wherein said applications cannot change the name of any 
execution context in said untrusted computer system. 

8. The method in claim 1, wherein connections originating on an external system can 
terminate only at said untrusted system and only at said untrusted execution contexts 
therein. 

9. The method in claim 1, wherein said untrusted application execution contexts are fenced 
off from said untrusted computer system such that said untrusted application execution 
contexts cannot interrogate or change critical system data of said untrusted 
computer system. 

10. A method for controlling access to a trusted computer system comprising: 

determining a name of an execution context of an application running on an untrusted 
system; 

determining whether said execution context is trusted or untrusted based on said name; 

if said execution context is trusted, permitting said application to initiate a connection 
with said trusted system, and 

if said execution context is untrusted, preventing said application from initiating a 
connection with said trusted computer system. 

11. The method in claim 10, wherein said trusted computer system can initiate connections 
with any execution context on said untrusted computer system. 



END9-1999-0107 

12. The method in claim 10, wherein only said untrusted application execution contexts on 
said untrusted system can initiate connections with an external computer system. 

13. The method in claim 10, wherein said execution context name was previously assigned 
by a human administrator. 

14. The method in claim 10, wherein there are a plurality of applications running on said 
untrusted computer system, one of said applications having a trusted execution context 
and another of said applications having an untrusted execution context. 

15. The method in claim 14, wherein said applications cannot change names of the respective 
execution contexts in which said applications are running. 

16. The method in claim 14, wherein said applications cannot change the name of any 
execution context in said untrusted computer system. 

17. The method in claim 10, wherein connections originating on an external system can 
terminate only at said untrusted system and only at said untrusted execution contexts 
therein. 

18. The method in claim 10, wherein said untrusted application execution contexts are fenced 
off from said untrusted computer system such that said untrusted application execution 
contexts cannot interrogate or change critical system data of said untrusted 
computer system. 

19. A program storage device readable by machine, tangibly embodying a program of 
instructions executable by the machine to perform a method for controlling access to a 
computer system, said method comprising: 

classifying applications running on an untrusted computer system as running in one of a 
trusted application execution context and an untrusted application execution context; and 

preventing an application on said untrusted computer system from initiating a connection 
with a trusted computer system unless said untrusted computer system is running said 
application in said trusted application execution context. 

20. The program storage device in claim 19, wherein said trusted computer system can 
initiate connections with any execution context on said untrusted computer system. 

21. The program storage device in claim 19, wherein only said untrusted application 
execution contexts on said untrusted system can initiate connections with an external 
computer system. 

22. The program storage device in claim 19, wherein said applications are classified as 
having said trusted application execution contexts and said untrusted application 
execution contexts based on distinctive application execution context names. 

23. The program storage device in claim 22, wherein a human administrator of said untrusted 
system assigns said distinctive application execution context names. 

24. The program storage device in claim 22, wherein said applications cannot change names 
of respective execution contexts in which said applications are running. 

25. The program storage device in claim 22, wherein said applications cannot change the 
name of any execution context in said untrusted computer system. 
26. The program storage device in claim 19, wherein connections originating on an external 
system can terminate only at said untrusted system and only at said untrusted execution 
contexts therein. 

27. The program storage device in claim 19, wherein said untrusted application execution 
contexts are fenced off from said untrusted computer system such that said untrusted 
application execution contexts cannot interrogate or change critical system data of said 
untrusted computer system. 

28. A system for controlling access to a network comprising: 
a trusted computer system; 

an untrusted computer system connected to said trusted computer system and to an 
external computer system, 

wherein said untrusted system includes applications classified as having trusted 
application execution contexts and untrusted application execution contexts, and 

wherein only said trusted application execution contexts can initiate connections with 
said trusted computer system. 

29. The system in claim 28, wherein said trusted computer system can initiate connections 
with any execution context on said untrusted computer system. 

30. The system in claim 28, wherein only said untrusted application execution contexts on 
said untrusted system can initiate connections with said external computer system. 
31. The system in claim 28, wherein said applications are classified as having said trusted 
application execution contexts and said untrusted application execution contexts based on 
distinctive application execution context names. 

32. The system in claim 31, wherein a human administrator of said untrusted system assigns 
said distinctive application execution context names. 

33. The system in claim 31, wherein said applications cannot change the names of respective 
execution contexts in which said applications are running. 

34. The system in claim 31, wherein said applications cannot change the name of any 
execution context in said untrusted computer system. 

35. The system in claim 28, wherein connections originating on said external system can 
terminate only at said untrusted system and only at said untrusted execution contexts 
therein. 

36. The system in claim 28, wherein said untrusted application execution contexts are fenced 
off from said untrusted computer system such that said untrusted application execution 
contexts cannot interrogate or change critical system data of said untrusted 
computer system. 
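The connection policy recited in the claims above (trusted contexts alone may initiate connections to the trusted system, untrusted contexts alone may initiate connections to the external system, the trusted system may reach any context, and externally originated connections may terminate only at untrusted contexts on the untrusted system), written out as a small policy simulation. This is an added example, not code from the patent or its applicant; the host names, the administrator-assigned context names and the sample connection attempts are constructed for illustration, and the classification table is an assumption about where such an enforcement point would keep its data.

```python
"""Simulation of the execution-context connection policy recited in the claims.

Added example, not code from the patent: the host names, context names and
request list below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Host(Enum):
    TRUSTED = "trusted"      # the protected system (claims 1 and 28)
    UNTRUSTED = "untrusted"  # the host that runs the classified contexts
    EXTERNAL = "external"    # anything beyond the untrusted host


# Distinctive context names assigned by the administrator (claims 5, 13, 23, 32).
# Held in a frozenset so that applications cannot rename or reclassify a
# context at runtime (claims 6, 7, 15, 16); a real enforcement point would keep
# this table in a privileged component the contexts cannot write to.
ADMIN_TRUSTED_CONTEXTS = frozenset({"trusted-gateway", "trusted-db-proxy"})


@dataclass(frozen=True)
class Endpoint:
    host: Host
    context: Optional[str] = None  # only meaningful on the untrusted host


def is_trusted_context(name: str) -> bool:
    """Classify an execution context purely by its distinctive name (claims 4, 10)."""
    return name in ADMIN_TRUSTED_CONTEXTS


def connection_allowed(src: Endpoint, dst: Endpoint) -> bool:
    """Decide whether src may initiate a connection to dst under the claimed policy."""
    # The trusted system may initiate to any context on the untrusted system
    # (claims 2, 11, 20, 29). Other destinations are not addressed by the claims;
    # this simulation denies them by default.
    if src.host is Host.TRUSTED:
        return dst.host is Host.UNTRUSTED

    # External connections terminate only at the untrusted system and only at
    # its untrusted contexts (claims 8, 17, 26, 35).
    if src.host is Host.EXTERNAL:
        return (dst.host is Host.UNTRUSTED
                and dst.context is not None
                and not is_trusted_context(dst.context))

    # src is on the untrusted host: classify the originating context by name.
    if src.context is None:
        return False  # no context, nothing to classify: fail closed
    trusted = is_trusted_context(src.context)
    if dst.host is Host.TRUSTED:
        return trusted      # claims 1, 10, 19, 28: only trusted contexts reach the trusted system
    if dst.host is Host.EXTERNAL:
        return not trusted  # claims 3, 12, 21, 30: only untrusted contexts reach the outside
    return False  # untrusted-to-untrusted traffic is not addressed by the claims; deny by default


Decision = Tuple[Endpoint, Endpoint, bool]


def audit(requests: List[Tuple[Endpoint, Endpoint]]) -> List[Decision]:
    """Evaluate a batch of connection attempts and return each with its verdict."""
    return [(src, dst, connection_allowed(src, dst)) for src, dst in requests]


# Constructed sample connection attempts.
SAMPLE_REQUESTS = [
    (Endpoint(Host.UNTRUSTED, "trusted-gateway"), Endpoint(Host.TRUSTED)),
    (Endpoint(Host.UNTRUSTED, "web-browser"), Endpoint(Host.TRUSTED)),
    (Endpoint(Host.UNTRUSTED, "web-browser"), Endpoint(Host.EXTERNAL)),
    (Endpoint(Host.UNTRUSTED, "trusted-gateway"), Endpoint(Host.EXTERNAL)),
    (Endpoint(Host.TRUSTED), Endpoint(Host.UNTRUSTED, "web-browser")),
    (Endpoint(Host.EXTERNAL), Endpoint(Host.UNTRUSTED, "web-browser")),
    (Endpoint(Host.EXTERNAL), Endpoint(Host.UNTRUSTED, "trusted-gateway")),
    (Endpoint(Host.EXTERNAL), Endpoint(Host.TRUSTED)),
]

if __name__ == "__main__":
    for src, dst, ok in audit(SAMPLE_REQUESTS):
        print(f"{src.host.value}/{src.context or '-'} -> "
              f"{dst.host.value}/{dst.context or '-'}: {'ALLOW' if ok else 'DENY'}")
```

The simulation decides only who may initiate a connection, which is what the independent claims recite; the fencing of untrusted contexts away from critical system data (claims 9, 18, 27, 36) is a property of the host's isolation mechanism and is not modelled here. Note that the whole scheme rests on the name-to-classification table being unwritable by the applications it governs: if a context can rename itself, an untrusted application can simply adopt a trusted name and the first check in connection_allowed lets it through.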